Get any mail about the Financial Services Modernization Act? You're not alone. Insurers and financial institutions are flooding customers' mailboxes about their rights to protect medical and financial information under what's better known as the Gramm-Leach-Bliley Act. But just how GLB will affect health plans isn't totally clear.

GLB requires affected institutions to mail privacy notices to customers, stating their policies for protecting people's information and how that information is shared with third parties. With respect to health insurers, it allows states to set rules for use of medical information they keep on file. But Charles Kahn, president of the Health Insurance Association of America, asked states to keep the expense of various initiatives in mind and not "throw more fuel on the cost fire." No one seems certain exactly how much compliance will cost insurers.

HIAA has reason to be concerned. Transgressing GLB could mean fines of up to $11,000 per violation, as well as criminal penalties.

Christi Harlan, a spokesman for the Senate Banking Committee, says privacy notices appear to be more of an issue for financial institutions than for health plans. Insurers, she says, "seem to be meeting Congress's intent, but we're in a wait-and-see position," because not every state has enacted legislation.

GLB requires state legislatures and insurance regulators to craft requirements for complying with the federal guidelines. "Most states have a July 1 compliance date, the same as the federal financial institutions — and most of them have passed legislation," notes Kathleen Jensen of the National Association of Independent Insurers. In those states, a majority of insurers already have sent out notices, Jensen reports.

Now follow closely

Generally, the privacy notifications used by insurers about disclosure of financial information are similar to those used by banks. The National Association of Insurance Commissioners (NAIC) and National Conference of Insurance Legislators have models that follow the language of GLB very closely.

However, while both models include health insurance lines, NAIC's model also includes workers' compensation (which falls under property and casualty). Under both models, consumers would "opt in" for disclosure of health information, and "opt out" for disclosure of financial information. "If nonpublic personal health information is being disclosed to third parties, it's opt-in," Jensen explains.

She notes that "quite a few states" have not adopted the health portion of the NAIC model — called Article 5 — such that references in some states may refer to adoption of the NAIC provisions "except for Article 5."

"From what I understand from our member companies, there is a little concern that all state legislatures have not closed yet" and are still looking at bills that could suddenly change the requirements for insurers operating in those states. California and Texas, for instance, haven't yet acted. "In California, one of the pieces of legislation calls for opt-in for everything. If that passes, insurers that have mailed out notifications would need to send out another notice."

That, Jensen admits, is "frustrating to a number of insurers" that hoped to know by now what they would need to do to comply in all states, though, "I don't think any have held off sending notices to customers" as a result.

Joe Holahan, director and counsel for policy development at HIAA, agrees that it's "a little soon to tell" what the effects of GLB may be. The NAIC model regulation may not be perfect, he says, "but in states that pass it, there shouldn't be any immediate problems." That regulation allows insurers and health plans to continue to use consumers' information for insurance- and health care-related activities without individual permission. But Holahan sees a potential problem: "There's a specific list of activities that are permitted that could develop into a problem later. There may be legitimate activities not contemplated in that list. Ten years ago, we would never have dreamed of some of the things that plans are doing today, in terms of case management and other areas. A fixed list could become a problem."

What's most worrisome to Holahan is the possibility that some states would adopt opt-in requirements "for things that are generally considered insurance-related." Even small variations among state laws may add to the cost of compliance, and could increase the time needed to provide benefits or process claims.

"Information zips from state to state, so you could have several states involved. Look at utilization review. You could have a patient in one state, a doctor in another, the UR agent in a third, and the insurance company with a database in a fourth." In such a situation, Holahan says, the insurer would have to determine what the each of the states' laws are and which has the most stringent requirements. That could become a problem in states such as Massachusetts, which is looking at requirements that could differ substantially from the NAIC model.

Medical vs. financial

Jose Montemayor, Texas insurance commissioner and vice chairman of the NAIC task force on GLB, says the law is part of a larger attempt by legislators and regulators to overhaul insurance and financial practices.

"In general, the big push is to modernize all of our regulatory processes, to acknowledge the realities of a more globalized market," Montemayor says. GLB, he adds, is part of that effort.

The biggest consideration in crafting GLB-compliance laws is determining how to treat medical, versus financial, privacy concerns. "Medical information is different from financial information. We all recognize that," he says. The financial information is an opt-out standard, which was developed with the guidance of the Federal Reserve Board, the Office of Thrift Supervision and the Comptroller of the Currency. "When you get to medical information, it's treated differently." Part of the reason is that medical information is needed by third-party administrators for determination of benefits; by agents who produce the business; and by "carve-outs" to assure that the information is available to entities that really need it, while preventing its dissemination to others who don't.

Financial institutions, more than insurers, have been the object of federal scrutiny — in part because insurance regulation is still largely left to the states, and because of the rise of "identity theft." The Federal Trade Commission cited GBL in its "Operation Detect Pretext," an effort to protect consumers from companies that obtain customer information under false pretenses — a practice known as pretexting. The Federal Deposit Insurance Corp. has issued guidelines aimed at preventing identify theft via unintentional release of information about customers to those who shouldn't have access to the information. GLB, the FTC noted, "prohibits individuals from obtaining a customer's information from a financial institution or from the customer [by way of] false representation, fictitious documents or forgery."

Meanwhile, health plans are waiting to see what changes GLB ultimately will make and hoping for some uniformity of standards.

"We'd at least like to get beat with the same stick," says one health plan executive.